SUMMARY


It is often difficult, if not impossible, to analyze a design of a large,
complex system with respect to its reliability parameters and maintenance
characteristics when numerous elements are functionally interdependent. A
recent result has shown that, for a certain class of systems, the
interdependency among the elements of such a system together with the elements
constitutes a mathematical structure, a partially ordered set. It is called a
loop-free logic model of the system. On the basis of an intrinsic property of
the mathematical structure, a characterization of system component failure in
terms of maximal subsets of bad test signals of the system was obtained.

Also, as a consequence, information concerning the total number of failure
components in the system was deduced. Detailed examples are given to show how
to restructure real systems containing loops into loop-free models for which
the result is applicable.


INTRODUCTION


Availability is a system parameter and is used to measure the operational 
readiness of a system/equipment by the reliability and maintainability
engineering community. It is defined as the ratio of mean time to failure 
(MTTF) to the sum of mean time to repair (MTTR) and MTTF. According to the 
definition, availability is a child of the marriage between these two 
disciplines. The theory of reliability deals with a system's ability to
perform its intended function under a prescribed condition for a period of 
time without failure. Maintainability concerns itself with a system's 
ability to restore a system to its operational condition or to prevent 
unnecessary failure. In both instances, time is the important common factor 
used to measure the "up" condition (free from failure) on the one hand and 
the "down" condition (by failure) on the other. 

One way to increase system availability is to reduce the MTTR which 
partly hinges on the ability to correctly prognosticate the state of the sys- 
tem and to identify the failed components if the system is malfunctioning. 

Recently, the U.S. Army Research and Technologies at Moffett Field, 
California, established a mathematical basis for complex systems without 
loops — called a logic model theory. In the theory it has been established 
(ref. 1) that the minimum number of test points required for conclusive 
detection of system failure is equal to the total number of terminal test 
points; this set of points constitutes the optimal choice. This result is 
useful for system checkout or prognosis. On the basis of the theory, we have 
established some results whose application is complementary to that of the
foregoing one. In particular, it is shown that every maximal subset of bad 
events of the system corresponds to a failed component, and the converse of 
this statement is also true if a further assumption is imposed. Also, as a 
consequence, it has been deduced that the total number of failures is at 
least as many as the total number of maximal subsets of bad events. 



ASSUMPTIONS AND DEFINITIONS 


In this section, we shall state explicitly the assumptions and definitions 
upon which the following development is based. It is hypothesized that:

1. At any instant or stage, the system or equipment under consideration
may be in only one of two states: functioning or faulty.

2. The system can be schematically decomposed into a finite number of
components (or modules), each of which, at any instant, is in one of the two
possible states.

3. The state of the system depends solely on the states of its
components.

4. The system is loop-free.

Hypothesis (1) is a realistic assumption because, if the performance level of
a given component is degraded to an "unsatisfactory" level (or beyond the
tolerance as specified in the specifications of the equipment), then the
component is in the malfunctioning state. Assumption (2) demands only the
feasibility of schematic system decomposition, not necessarily a physical
decomposition. Also, it is tacitly assumed in (3) that a proper environment
exists for the system under question. This also implies that input to the
system is considered to be good. Assumption (4) imposes a limitation on the
applicability of this study to systems containing functional dependence
loops. For those cases, one should restructure each functional loop as a
component and an event. Hence the resulting model would be loop-free.

In addition to the above assumptions, one needs the following. 

C = nonempty finite set of all components of a given system. 

E = nonempty finite set of all events (signals) of the system. 

S = set of all functional entities, defined to be the union of C and E.

P = set of all peripheral components.

$U = C \cup P$ or $P \cup C$

A partially ordered set P is a structure consisting of a set S and a
relation $\le$ satisfying the following postulates:

1. (Reflexive): $a \le b$ and $b \le a$ hold if and only if $a = b$, where
$a, b \in S$.

2. (Transitive): $a \le b$ and $b \le c$ imply $a \le c$, where $a, b, c \in S$.

Let $\alpha, \beta \in S$. Then $\alpha$ depends functionally on $\beta$
(symbolically, $\alpha < \beta$) if there exist functional entities ... such that

£|i ^ 0* 

An event (or signal) is said to be bad if it is out of specification;
otherwise, it is said to be good. A component in a loop-free system is said
to be malfunctioning if all its input signals (events) are good and at least
one of its output signals (events) is bad; it is said to be functioning if
all its outputs are good.

$A_a(O_j) = \{ s \in E \mid s < O_j \}$, where $O_j$ is an output of $a$, $a \in C$.

$\bar{A}_a(O_j) \equiv$ all events (signals) in $A_a(O_j)$ are bad.

Let $a \in C$ and $O_j$ be an output of $a$. Then a set of bad events (signals),
$\bar{A}_a(O_j)$, is said to be maximal if for all $b \in U$,
$\bar{A}_a(O_j) \subseteq \bar{A}_b(O_i)$ implies $\bar{A}_a(O_j) = \bar{A}_b(O_i)$.


Now we state the last assumption, which allows for flexibility in modeling
at different levels.

5. For every event $s \in E$, there is a component $c \in U$ having $s$ as
its output.

Finally, in the interest of completeness, we define explicitly the following
terms.


Component — a collection of one or more items. 

Event (signal) — a measurable or observable quantity. 

Functional entity — a component or an event. 

Dependence — a functional relationship between two functional entities. 

Dependency chain — a collection of two or more functional entities for 
which dependence exists. 

Loop — a closed dependence chain. 

BACKGROUND 

In this section we discuss the basic idea of the logic model concept 
together with some notions that will be required to understand the following 
development.

Structurally, a logic model consists of a collection of dependency
chains arranged in a particular order that reflects the functional
relationship that existed between the components and the observable or
measurable state of nature of a system or equipment. The dependency chains are
the basic building block of the logic model concept. A simple example of a
dependency chain can be illustrated by the "black-box" concept as follows:


[Figure: black box Y with input signal X and output signal Z]


This simple input-output mechanism shows that the output signal Z depends
functionally on the operational status of the black box Y (or simply the
black box Y) and the input signal X. The dependency chain of this simple
mechanism is pictorially represented as

[Diagram: X (□), Y (O), Z (□) joined by A]

where □ represents an observable or measurable state of nature, O represents
the functional component, and A denotes the dependency of one functional
entity on another. This symbolic representation of the dependency chain also
yields a logic model of the mechanism, a logic model that consists of only
one dependency chain.

A more complex example is a simple power relay circuit together with a
logic model as shown in figure 1. This logic model consists of four
dependency chains. Note that, for example, the signal at TP-2 depends on the
operational status of the transformer T1 and the signal at TP-1. This is a
dependency chain and it reflects the power transition portion on one leg of
the transformer, whereas the chain corresponding to TP-3 reflects power
transition for the other output leg.

The foregoing example has been generated manually and reported in
reference 2. In this case, the manual generation of the model has been an easy
task because there are altogether only a few functional entities in the
model — five events and three components. (Note items S1 and R1 together are
considered as a component.) For a more detailed modeling of a complex
system, an automated capability for generating a logic model not only is
desirable but becomes necessary.

CHARACTERIZATION OF COMPONENT FAILURE


The set of all functional entities S together with the functional
dependence, <, as a relation on S constitutes a mathematical structure. In
fact, as was established in a previous report (ref. 1), every loop-free logic
model is a partially ordered set. And from this some interesting results that
are useful for maintenance analysis were deduced.

This unique property of logic models enables us to obtain a
characterization of system component failure phenomena, whose proof is given
in the appendix.

Theorem 1: Let $a \in C$ and L be a loop-free logic model. Then component
a is malfunctioning if, for some output $O_j$ of a, $\bar{A}_a(O_j)$ is a
maximal subset of the set of all bad events in E.

This pleasing result would not necessarily hold if the loop-free
constraint were relaxed. For then we could have a malfunctioning component in a
loop and, in this case, the logic model is not a partially ordered set.
Hence the asymmetric property of a partially ordered set does not apply, and
might lead to an incorrect identification of failed components. This
undesirable feature on the applicability can be circumvented to a degree,
provided a certain degradation on the logic model is admitted. A detailed
discussion along with some examples follows in the next section.

The converse of the Theorem is generally not true. So it is somewhat
unorthodox to call it a characterization because such usage implies an
equivalency of two statements in the mathematical literature. However, we do
have a weaker equivalence result.

Theorem 2: Suppose U contains at most one malfunctioning component,
and let L be a loop-free logic model. Then a component $a \in C$ is
malfunctioning if and only if, for some output $O_j$ of a, $\bar{A}_a(O_j)$ is
a maximal subset of the set of all bad events in E.

Before we continue, note that in this weaker form of characterization,
an additional hypothesis is assumed — namely, we allow not more than one
failure component, at a given instant, within both the system components and
the peripheral components. Also, the Theorem would not be necessarily valid
if the peripheral portion were omitted unless all the peripheral components
were assumed to be good.

The next result states that the totality of bad events in a malfunctioning
system is precisely the set theoretic sum of all the maximal subsets of
bad events in the system.

Theorem 3: The set of all bad events in E of a loop-free logic model
is equal to the union of all maximal subsets $\bar{A}_a(O_j)$ in E.

Finally, as a consequence of the foregoing results, we deduce the
following corollary.

Corollary: If each component of a loop-free logic model has only one
output, then the number of failed components of a malfunctioning system is
equal to or greater than the total number of maximal subsets of bad events.

This Corollary can only conclude that there are at least as many failed
components as the number of maximal subsets of bad events. Equality does not
hold in general because the converse of Theorem 1 is not necessarily true.
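
The characterization above can be exercised on a small model. The following Python sketch is an added example, not code from the report: the six-chain model, its component and event names, and the `propagate` helper that simulates test results are constructed for illustration, and A(O) is taken to be the output event together with every event that depends on it. It computes the maximal all-bad subsets and the components they point to, including a case where a second failure is masked so that the Corollary's inequality is strict.

```python
# Added example: maximal bad-event subsets on a constructed loop-free logic model.
# Each dependency chain maps an output event to (producing component, input events).
# All component and event names are constructed for illustration.
CHAINS = {
    "E1": ("P1", []),            # peripheral component P1 supplies the input E1
    "E2": ("C1", ["E1"]),
    "E3": ("C2", ["E2"]),
    "E4": ("C3", ["E2"]),
    "E5": ("C4", ["E3", "E4"]),
    "E6": ("C5", ["E1"]),
}

def dependents(chains, event):
    """A(O): `event` itself plus every event that depends functionally on it."""
    found, frontier = {event}, [event]
    while frontier:
        cur = frontier.pop()
        for out, (_, inputs) in chains.items():
            if cur in inputs and out not in found:
                found.add(out)
                frontier.append(out)
    return frozenset(found)

def maximal_bad_subsets(chains, bad):
    """Return {output event: A(O)} for every A(O) that is all bad and maximal."""
    bad = set(bad)
    all_bad = {o: dependents(chains, o) for o in chains}
    all_bad = {o: s for o, s in all_bad.items() if s <= bad}
    # maximal: not a proper subset of any other all-bad set
    return {o: s for o, s in all_bad.items()
            if not any(s < other for other in all_bad.values())}

def suspects(chains, bad):
    """Components identified by Theorem 1: producers of an output with a maximal set."""
    return sorted({chains[o][0] for o in maximal_bad_subsets(chains, bad)})

def propagate(chains, failed):
    """Simulated test results: an event is bad if its producer failed or an input is bad."""
    bad, changed = set(), True
    while changed:
        changed = False
        for out, (comp, inputs) in chains.items():
            if out not in bad and (comp in failed or bad & set(inputs)):
                bad.add(out)
                changed = True
    return bad

if __name__ == "__main__":
    for failed in ({"C2"}, {"C2", "C5"}, {"C1", "C4"}):
        bad = propagate(CHAINS, failed)
        print(sorted(failed), "->", sorted(bad), "suspects:", suspects(CHAINS, bad))
```

With C1 and C4 both failed, only C1 is reported: the bad set behind C4's output is a proper subset of the one behind C1's output, so C4 produces no maximal subset.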


SYSTEMS WITH LOOPS 


It is not uncommon for systems to contain closed dependence chains or
loops, especially in electronic equipment. As discussed under "Assumptions
and Definitions," for such a system it is necessary to degenerate each loop
into a component and an event so that the resulting logic model is loop-free,
and for which the result obtained under "Characterization of Component
Failure" is applicable.

Figure 2 is a computer-generated logic model, published in reference 2,
of a radio used extensively in Army helicopters such as the UH-1. There are
two loops (or closed dependency chains) in this relatively complex model,
which consists of 51 dependency chains involving 175 functional entities.
Concatenation of the following four dependency chains:

Event A038 depends on component I044 and on event A037.

Event A037 depends on component I043 and on event A036.

Event A036 depends on component (I042, I110) and on event A076.

Event A076 depends on component (I089, I088, I046, I045) and on
events A038, A009, A010, A011.


is a dependency chain involving a loop, as shown in figure 3. To eliminate
this loop, we must remodel the events A038, A037, A036, and A076 as one event
called Axxx, where xxx is unique in the remaining event set and items I044,
I043, I042, and I110 as one item Iyyy or component, where yyy is unique
in the remaining items of the model. The other loop in the model is embedded
in the following dependency chains:

Event A070 depends on component I100 and on event A069.

Event A069 depends on component I099 and on event A060.

Event A060 depends on component I098 and on event A059.

Event A059 depends on component I097 and on event A058.

Event A058 depends on component (I096, I095) and on events A070,
A040, A009, A010, A011.

as shown in figure 4. Here, as before, the events involved in the loop as
well as the items must be degenerated into a unique representation. Now, the
model is loop-free, and the apparent price to be paid for this action is an
inability to fault isolate down to the same level as if the loop did not exist.

The foregoing model involves simple loops. A more complicated example
(fig. 5) of loop embedding is provided by a logic model of an on/off gating
circuit board (ref. 3) used on special underwater surveillance gear by the
Navy. A careful examination of the model reveals that there are five loops
embedded in the following eight dependency chains:


Event A038 depends on component I030 and on events A045, A046, A027, A044.

Event A045 depends on component I038 and on events A052, A037.

Event A052 depends on component I041 and on events A034, A033.

Event A046 depends on component I015 and on events A030, A031.

Event A027 depends on component I015 and on events A030, A031.

Event A034 depends on component I023 and on events A030, A040, A037, A041.

Event A030 depends on component I017 and on events A034, A033.

Event A033 depends on component I022 and on events A038, A037, A036.



To obtain a loop-free model, we identify events A038, A045, A052, A046,
A027, A034, A030, and A033 as another event that is unique among the
remaining events; similarly, items I030, I017, I023, I015, I038, and I041
should be grouped as a new component with a unique identification.


CONCLUDING REMARKS 


On the basis of the previously established result that every loop-free
logic model is a partially ordered set, we have found that every maximal
subset of bad events corresponds to a failure component. This result,
together with the fact that every bad event of a malfunctioning system
belongs to some maximal subset of bad events, enables us to deduce that the
number of failure components is equal to or greater than the total number of
maximal subsets of bad events. The equality does not generally hold because
it is not necessarily true that every failed component gives rise to a maximal
subset of bad events. However, this statement is true for systems containing
only at most one failed component at a given instant.

APPENDIX


Theorem 1: Let L be a loop-free model and $a \in C$. Then component
a is malfunctioning if, for some output $O_j$ of a, $\bar{A}_a(O_j)$ is a
maximal subset of the set of all bad events in E.

Proof: First we observe that $O_j \in \bar{A}_a(O_j)$, so $O_j$ is a bad
output of component a. The proof of the Theorem can be reduced to prove that
all the inputs, to component a, upon which $O_j$ depends are good. Assuming the
contrary, suppose there is an input s to a that is bad. Then, by definition,
there is a component $b \in U$ such that s is an output of b. Event s
being bad implies that all the events in $A_b(s)$ are bad. So, we have
$\bar{A}_a(O_j) \subseteq \bar{A}_a(O_j) \cup \{s\} \subseteq \bar{A}_b(s)$.
But $\bar{A}_a(O_j)$ is maximal implies
$\bar{A}_a(O_j) = \bar{A}_b(s) = \bar{A}_a(O_j) \cup \{s\}$. Then it follows
that $s < O_j$. Since L is a partially ordered set, we have $s = O_j$, or input
is the same as output, a contradiction.


Theorem 2: Suppose U contains at most one malfunctioning component
and L be a loop-free logic model. Then a component $a \in C$ is
malfunctioning if and only if, for some output $O_j$ of a, $\bar{A}_a(O_j)$ is
a maximal subset of the set of all bad events in E.

Proof: The proof for the sufficient condition is carried over from that
of Theorem 1. Now we want to prove that it is necessary also. Suppose
$\bar{A}_a(O_j)$ is not maximal. Then there is a set $\bar{A}_b(s)$ such that
it contains $\bar{A}_a(O_j)$ as a proper subset. Now, if $\bar{A}_b(s)$ is
maximal, then b is malfunctioning, in which we have a contradiction since U
contains two failure components a and b. On the other hand, if $\bar{A}_b(s)$
is not maximal, then there exists ... such that $\bar{A}_b(s) \subset$ ... .
Now applying the same argument, we have either c malfunctioning or else the
existence of a set $\bar{A}_{\ldots}(n)$. The process will terminate eventually
since the set U is finite. Thus, it leads to a contradiction.


Theorem 3: The set of all bad events in E of a loop-free logic model
is equal to the union of all maximal subsets $\bar{A}_a(O_j)$ in E.

Proof: Let T denote the set of all bad test points in E, and
$R = \bigcup A_n$, where $A_n = \bar{A}_a(O_j)$ and $\bar{A}_a(O_j)$ is a
maximal subset for some $O_j$. To prove the theorem, it is only necessary to
prove that $T \subseteq R$ because obviously each element of R is also an
element in T. So, let $s_1$ be an element in T. We want to show that $s_1$ is
an element of some maximal subset. To begin with, by definition, there is a
component $c_1$ having $s_1$ as its output. It follows that the set
$\bar{A}_{c_1}(s_1)$ is a subset of bad test points. Hence, if
$\bar{A}_{c_1}(s_1)$ is maximal, the assertion follows; otherwise, there exists
a bad test point $s_2$ such that $\bar{A}_{c_1}(s_1)$ is a proper subset of
$\bar{A}_{c_2}(s_2)$, for some component $c_2$. Unless $\bar{A}_{c_2}(s_2)$ is
maximal, the process can be continued and eventually terminates itself since
there are only a finite number of test points in a given logic model.
Therefore,

$s_1 \in \bar{A}_{c_1}(s_1) \subset \bar{A}_{c_2}(s_2) \subset \ldots \subset \bar{A}_{c_k}(s_k)$, where $\bar{A}_{c_k}(s_k)$ is maximal.

Corollary: If each component of a loop-free logic model has only one
output, then the number of failed components of a malfunctioning system is
equal to or greater than the total number of maximal subsets of bad events.

Proof: Let the nonnegative integer k be the number of failed components
in the logic model under consideration. Then the hypothesis and
Theorem 1 imply that, for each failure component, there corresponds one and
only one maximal subset of bad test points. So, we have k maximal subsets
of bad test signals, but Theorem 2 implies these are the only maximal subsets.
Hence k cannot be less than the number of maximal subsets. On the other
hand, the converse of Theorem 1 is not necessarily true. It follows that k
can be greater than the total number of maximal subsets of the set of all
bad test signals.

Figure 5.- Logic model with loops interwoven.